Disclosed is a flood attack detection method, wherein the total number of keywords of a source packet is acquired, and the number of feature parameters corresponding to the source packet is acquired. A ratio of the number of feature parameters to the total number of keywords is compared with a preset threshold, and if the ratio is greater than or equal to the preset threshold, it is determined that a flood attack occurs.
1. A flood attack detection method, the method being carried out by a computer device having a processor, comprising:
receiving, by the device, source packets transmitted from a plurality of hosts, wherein the source packets include text content;
counting, by the device, a total number of the received source packets carrying a keyword in a predetermined time to obtain a total number of the source packets with the keyword, wherein each received source packet's text content carries the keyword;
obtaining, by the device, a number of failure response packets in response to the received source packets transmitted from the plurality of hosts, wherein each of the failure response packets is generated and sent by a destination host of a source packet in the source packets, and indicates a request for a resource on the destination host which causes a failure;
calculating a ratio of the number of the failure response packets to the total number of the source packets with the keyword; and
determining that a flood attack has occurred when the ratio exceeds or is equal to a preset failure threshold.
2. The flood attack detection method of
performing, by the device, keyword feature filtering on the source packets, wherein the packets left are the source packets carrying the keyword.
3. A flood attack detection apparatus, comprising:
a processor configured to:
receive source packets transmitted from a plurality of hosts, wherein the source packets include text content;
count a total number of the received source packets carrying a keyword in a predetermined time to obtain a total number of the source packets with the keyword, wherein each received source packet's text content carries the keyword;
obtain a number of failure response packets in response to the received source packets transmitted from the plurality of hosts, wherein each of the failure response packets is generated and sent by a destination host of a source packet in the source packets, and indicates a request for a resource on the destination host which causes a failure;
calculate a ratio of the number of the failure response packets to the total number of the source packets with the keyword;
compare the ratio with a preset failure threshold; and
determine that a flood attack has occurred when the ratio exceeds or is equal to the preset failure threshold.
4. The flood attack detection apparatus of
a storage unit, configured to store a data table consisting of the total number of the source packets carrying the keyword and the number of the failure response packets.
This application is a continuation of U.S. patent application Ser. No. 12/390,664, filed on Feb. 23, 2009, which claims priority to Chinese Patent Application No. 200810095023.X, filed on Apr. 23, 2008, all of which are hereby incorporated by reference in their entireties.
1. Field of the Invention
The present invention relates to a communication technology field, and more particularly, to a flood attacks detection method and a detection device.
2. Description of the Related Art
A Distributed Denial of Service (DDOS) attack is one type of flood attack. It mainly refers to an attacker controlling a large quantity of infected hosts to form an attack network, using a main control host as a platform (which may have multiple levels or multiple layers), so as to launch a large-scale denial-of-service attack against an affected host. Such an attack usually magnifies the effect of a single attacker level by level, so as to cause a significant impact on the affected host, as well as severe network congestion.
One method of detecting the DDOS attack is traffic anomaly detection. Its principle is that the packet traffic of each protocol varies evenly in a normal situation and varies significantly only when affected by some specific attacks. Traffic anomaly detection is usually divided into two stages. One is a study stage, in which some sample traffic is studied so as to establish an initial analysis model. The system then enters an operating stage, in which it collects the packet traffic, performs traffic statistics, analyzes the traffic model, and compares the analysis with the initial analysis model. If the difference between the two is greater than the threshold, the traffic is determined to be abnormal; otherwise, traffic study continues and the initial analysis model is modified continuously.
Another method of detecting the DDOS attack is packet transmission frequency detection. A DDOS attack usually presents a feature of large traffic, and the traffic is usually correlated with the packet transmission frequency. Therefore, the packet transmission frequency can be counted, and the result compared with a threshold. If the result is greater than the threshold, it is determined to be abnormal; otherwise, it is determined to be normal.
One of the challenges in implementing DDOS attack detection is accuracy. As for the traffic anomaly detection method, if the attack is a flood attack under small traffic, the variation of the traffic in a short term is not obvious, so that the attack may not be detected by a simple traffic analysis algorithm. In some normal requests, such as proxy or Network Address Translation (NAT) service, large traffic may also be found during a short time period, so that a false attack detection may occur. As for the packet transmission frequency detection method, it is difficult to detect an attack under small traffic, and in some normal requests, such as proxy or NAT service, detection errors may occur as well.
In an embodiment, the present invention provides a flood attack detection method, which includes the following steps. The total number of keywords of a source packet is acquired. The number of feature parameters corresponding to the source packet is acquired. A ratio of the number of feature parameters to the total number of keywords is compared with a preset threshold, and if the ratio is greater than or equal to the preset threshold, it is determined that a flood attack occurs.
In an embodiment, the present invention further provides a detection device, which includes: an acquisition unit, adapted to acquire the total number of keywords of a source packet and the number of feature parameters corresponding to the source packet; and a processing unit, adapted to compare a ratio of the number of feature parameters to the total number of keywords with a preset threshold, and determine that a flood attack occurs if the ratio is greater than or equal to the preset threshold.
These and other features will be more clearly understood from the following detailed description taken in conjunction with the accompanying drawings and claims.
For a more complete understanding of this disclosure, reference is now made to the following brief description, taken in connection with the accompanying drawings and detailed description, wherein like reference numerals represent like parts.
It should be understood at the outset that although an illustrative implementation of one or more embodiments are provided below, the disclosed systems and/or methods may be implemented using any number of techniques, whether currently known or in existence. The disclosure should in no way be limited to the illustrative implementations, drawings, and techniques illustrated below, including the exemplary designs and implementations illustrated and described herein, but may be modified within the scope of the appended claims along with their full scope of equivalents.
Disclosed herein is a method and device for detecting flood attacks. In one embodiment, the packets received by the same protected destination host are examined, and if the received packets transmitted from a plurality of hosts all have similar text contents, it is assumed that the destination host is under a DDOS attack from these hosts. In another embodiment, if the text contents of the received packets transmitted from a plurality of hosts can alter randomly, the response packets to the received packets are examined. If a high error ratio of the response packets is detected, it is also considered that the destination host is under a DDOS attack from these hosts.
Hereinafter the embodiments of the present invention will be illustrated in detail with reference to the accompanying drawings.
In step 101, the total number of source IP packets with the keyword and the repetition number of the text hash string from the source IP packets are determined. The keyword may be any of a series of different keywords, such as “Get” or “post”; in the following description, the keyword “Get” is taken as an example.
In this step, the total number of source IP packets with the keyword and the repetition number of the hash string from the text of the source IP packet are determined according to a pre-configured data table.
Hereinafter the data table in this embodiment of the present invention is introduced first.
Referring to
A source IP validity mark in the second layer indicates whether the record is valid or not. An initial packet receipt time in the second layer indicates the time of receiving the first data packet carrying the keyword during an aging period. The total number of source IP packets with the keyword, such as keyword number n1 for source IP1, keyword number n2 for source IP2, keyword number n3 for source IP3, . . . keyword number ni for source IPi, indicates the total number of the packets carrying the keyword during the aging period. The failure number indicates the total number of the failures of the response packets to source IP packets with the keyword.
A key sentence hash string in the third layer indicates a string of a fixed length, i.e., a key sentence hash string obtained by performing a hash transformation on a specific length selected from the key sentence carrying the keyword. A time in the third layer indicates the time of the latest repetition packets during the aging period, which may be altered constantly. A repetition number in the third layer indicates the number of the packets having the same key sentences which can be transformed by hash into the same key sentence hash string. A validity mark in the third layer indicates whether the key sentence hash string is valid or not.
After a packet is received, protocol resolution is performed on the packet, usually up to the application layer, and then protocol classification is performed, for example into regular Hypertext Transfer Protocol (HTTP) or Domain Name System (DNS) protocol. After the protocol classification is finished, feature filtering is performed to keep only the packets carrying the keyword; for example, among the HTTP packets, the packets carrying “get” are left.
After the feature filtering, the packets are grouped according to the destination IP, i.e., according to whether the destination IP belongs to a protected IP. If yes, the packets are grouped and filled into the first layer of the data structure. Thereafter, the record having the same source IP is searched for in the second layer; the record is created if it is not found, and then the source IP validity mark, the initial packet receipt time, and the total number of the record are updated.
After that, a hash transformation is performed on a fixed length of the key sentence of the text of the packet; if the length of the key sentence exceeds the fixed length, it is truncated to that length before the hash transformation, and the result of the hash transformation is the key sentence hash string. The same key sentence hash string is then searched for throughout the third layer. If it is found, the repetition number is increased by 1 and the time field of the key sentence hash string in the third layer is updated; otherwise, a new entry is created and its time and repetition number are set correspondingly. If the response to the received packet fails, the corresponding failure number in the second layer is increased by 1. After the above process, the data table of the embodiment of the present invention is populated.
In step 102, whether the ratio of the repetition number of the text hash string from the source IP packet to the total number of source IP packets with the keyword exceeds a preset similarity ratio threshold is determined. If yes, step 103 is performed, otherwise, step 104 is performed.
In step 103, it is determined that a DDOS attack occurs.
In step 104, it is determined as a normal situation.
The above process is described in detail as follows.
It is assumed that, in a period of time, the table in the second layer has n records of source IPs, and the third layer has m records of key sentence hash strings. It is assumed that the total number of source IP packets with the keyword for the ith source IP is total[i], and the repetition number of the jth hash string of the ith source IP is sam[i][j]. During a set valid period, the key sentence hash strings whose repetition number is greater than a repetition number threshold are picked out, their repetition numbers are summed to obtain the similarity repetition number, and the ratio of the similarity repetition number to the total number of source IP packets with the keyword is compared with a preset similarity ratio threshold. If the ratio is greater than or equal to the similarity ratio threshold, it is determined that the source IP is one of the attack sources.
The program codes are illustrated as below but are not limited to this, and other program codes may be used to achieve the same goal.
    int count[n];
    for (int i = 0; i < n; i++)
    {
        count[i] = 0;
        for (int j = 0; j < m; j++)
        {
            // only valid records and hash strings repeated at least the threshold number of times contribute
            if (sam[i][j] >= repetition_number_threshold && valid[i] == true)
            {
                count[i] += sam[i][j];
            }
        }
        // divide in floating point: integer division would give 0 whenever count[i] < total[i]
        if (total[i] > 0 && (double)count[i] / total[i] >= similarity_ratio_threshold)
        {
            Do_Flood_Action1(&IP[i]); // IP[i] is one of the DDOS attack sources
        }
    }
Referring to
In step 401, the total number of source IP packets with the keyword and the failure number of the response packets to the source IP packets are determined.
In this step, the total number of the source IP packets with the keyword and the failure number of the response packets to the source IP packets are determined according to a pre-configured data table.
The data table in this embodiment of the present invention is the same as that illustrated in the first embodiment, and will not be repeated herein.
In step 402, whether the ratio of the failure number of the response packets for the source IP packets to the total number of source IP packets with the keyword exceeds a preset failure threshold is determined. If yes, step 403 is performed; otherwise, step 404 is performed.
In step 403, it is determined that a DDOS attack occurs.
In step 404, it is determined as a normal situation.
The above process is described in detail as follows.
It is assumed that, in a period of time, the table in the second layer has n records of source IPs, and the third layer has m records of key sentence hash strings. It is assumed that the total number of source IP packets with the keyword for the ith source IP is total[i], and the failure number of the response packets to the ith source IP is fail[i]. The failure number of the response packets is counted, and the ratio of the failure number of the response packets to the total number of source IP packets with the keyword is compared with a failure threshold. If the ratio is greater than or equal to the failure threshold, it is determined that the source IP is one of the attack sources.
The program codes are illustrated as below but are not limited to this, and other program codes may also be used to achieve the same goal.
    for (int i = 0; i < n; i++)
    {
        // both an absolute failure count and a failure ratio must be reached
        if (fail[i] >= failure_number_threshold && total[i] > 0
            && (double)fail[i] / total[i] >= failure_threshold)
        {
            Do_Flood_Action2(&IP[i]); // IP[i] is one of the DDOS attack sources
        }
    }
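As an added example, not the patent's own code nor the assignee's, the following C program builds a per-source-IP data table of the kind described for steps 101 and 401 above and applies both ratio tests: the similarity ratio of step 102 and the failure ratio of step 402. The threshold values, the 32-byte hash window, the choice of FNV-1a as the hash transformation, the function names and the sample traffic are all assumptions made here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Added example, not the patent's own code: a per-source-IP data table in the
 * shape the specification describes and the ratio tests of steps 102 and 402.
 * Thresholds, the 32-byte hash window, FNV-1a and the traffic are assumptions. */
#define KEYWORD "GET"              /* feature filter keyword, as in the text */
#define HASH_LEN 32                /* fixed key-sentence length hashed (assumed) */
#define REP_THRESHOLD 3            /* repetition number threshold (assumed) */
#define SIM_RATIO_THRESHOLD 0.6    /* similarity ratio threshold (assumed) */
#define FAIL_THRESHOLD 3           /* failure number threshold (assumed) */
#define FAIL_RATIO_THRESHOLD 0.6   /* failure threshold on the ratio (assumed) */
enum { MAX_SRC = 8, MAX_HASH = 8 };  /* table capacity (assumed) */

struct hash_rec { uint64_t hash; int rep; };        /* third layer: hash string, repetition */
struct src_rec {                                     /* second layer: one source IP */
    const char *ip;
    int total, fail, nhash;        /* keyword packets, failure responses, hash records */
    struct hash_rec hashes[MAX_HASH];
};
struct table { int nsrc; struct src_rec srcs[MAX_SRC]; };   /* one protected destination */

/* FNV-1a over at most HASH_LEN bytes: a longer key sentence is truncated first, so
 * requests that differ only beyond the window map to the same hash string. */
static uint64_t key_hash(const char *text) {
    uint64_t h = 1469598103934665603ULL;
    size_t n = strlen(text) > HASH_LEN ? HASH_LEN : strlen(text);
    for (size_t i = 0; i < n; i++) { h ^= (unsigned char)text[i]; h *= 1099511628211ULL; }
    return h;
}

static struct src_rec *find_src(struct table *t, const char *ip) {
    for (int i = 0; i < t->nsrc; i++)
        if (strcmp(t->srcs[i].ip, ip) == 0) return &t->srcs[i];
    if (t->nsrc == MAX_SRC) return NULL;             /* table full */
    struct src_rec *s = &t->srcs[t->nsrc++];
    memset(s, 0, sizeof *s); s->ip = ip;
    return s;
}

/* Keyword filtering plus table update for one request and its reply: 0 = filtered out,
 * 1 = recorded, -1 = table full. Matching the keyword at the start of the request
 * line is a simplification of the feature filtering described in the text. */
int record_packet(struct table *t, const char *src_ip, const char *text, int failed) {
    if (strncmp(text, KEYWORD, strlen(KEYWORD)) != 0) return 0;
    struct src_rec *s = find_src(t, src_ip);
    if (s == NULL) return -1;
    s->total++;
    if (failed) s->fail++;
    uint64_t h = key_hash(text);
    for (int j = 0; j < s->nhash; j++)               /* same hash string: repetition + 1 */
        if (s->hashes[j].hash == h) { s->hashes[j].rep++; return 1; }
    if (s->nhash < MAX_HASH)                         /* otherwise create a new term */
        s->hashes[s->nhash++] = (struct hash_rec){ h, 1 };
    return 1;
}

/* Step 102: sum the repetition numbers that reach REP_THRESHOLD and compare the ratio
 * with the total in floating point (integer division would give 0 whenever count < total). */
int similarity_attack(const struct src_rec *s) {
    int count = 0;
    if (s->total == 0) return 0;                     /* no keyword packets: never flagged */
    for (int j = 0; j < s->nhash; j++)
        if (s->hashes[j].rep >= REP_THRESHOLD) count += s->hashes[j].rep;
    return (double)count / s->total >= SIM_RATIO_THRESHOLD;
}

/* Step 402: failure ratio with the absolute floor the second embodiment's code
 * applies, so that a single failed request cannot trip the rule. */
int failure_attack(const struct src_rec *s) {
    if (s->total == 0 || s->fail < FAIL_THRESHOLD) return 0;
    return (double)s->fail / s->total >= FAIL_RATIO_THRESHOLD;
}

static const struct { const char *src, *text; int failed; } TRAFFIC[] = {  /* constructed */
    {"10.0.0.5", "GET /index.html HTTP/1.1", 0},    /* same request repeated */
    {"10.0.0.5", "GET /index.html HTTP/1.1", 0},
    {"10.0.0.5", "GET /index.html HTTP/1.1", 0},
    {"10.0.0.5", "GET /about.html HTTP/1.1", 0},
    {"10.0.0.6", "GET /a1b2c3.php HTTP/1.1", 1},    /* random paths, mostly failing */
    {"10.0.0.6", "GET /zz9y8x.php HTTP/1.1", 1},
    {"10.0.0.6", "GET /q7w6e5.php HTTP/1.1", 1},
    {"10.0.0.6", "GET /index.html HTTP/1.1", 0},
    {"10.0.0.7", "POST /login HTTP/1.1", 0},        /* no keyword: filtered out */
    {"10.0.0.7", "GET /index.html HTTP/1.1", 0},    /* ordinary browsing */
};

struct table build_sample_table(void) {
    struct table t = { 0 };
    for (size_t i = 0; i < sizeof TRAFFIC / sizeof TRAFFIC[0]; i++)
        record_packet(&t, TRAFFIC[i].src, TRAFFIC[i].text, TRAFFIC[i].failed);
    return t;
}

int main(void) {
    struct table t = build_sample_table();
    for (int i = 0; i < t.nsrc; i++)
        printf("%s total=%d fail=%d similarity=%d failure=%d\n", t.srcs[i].ip, t.srcs[i].total,
               t.srcs[i].fail, similarity_attack(&t.srcs[i]), failure_attack(&t.srcs[i]));
    return 0;
}
```

Compiled with any C99 compiler, the program prints one line per source IP with both verdicts: in the constructed sample, 10.0.0.5 is flagged by the similarity rule (three of its four keyword packets share one key sentence hash string), 10.0.0.6 by the failure rule (three failure responses out of four), and 10.0.0.7 by neither. Two points worth noting for anyone implementing the claims: the ratios are computed in floating point, since an integer division of count by total yields 0 for every source whose repeated packets are fewer than its total; and the failure rule keeps the absolute failure-number floor of the second embodiment, so a single failed request from an otherwise quiet host is not enough to mark it as an attack source.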
Referring to
It should be noted that, the method in the embodiment of the present invention is illustrated by taking the DDOS attack as an example, but is not limited to this, and the method can also be applied in the flood attacks detection in DNS or in other application protocols.
The flood attacks detection method according to the embodiments of the present invention is illustrated above in detail, and correspondingly, an embodiment of the present invention further provides a detection device.
The detection device includes an acquisition unit 601 and a processing unit 602.
The acquisition unit 601 is adapted to acquire the total number of source IP packets with the keyword and the number of feature parameters of the source packet.
The processing unit 602 is adapted to compare the ratio of the number of feature parameters to the total number of source IP packets with the keyword with the preset threshold. If the ratio is greater than or equal to the preset threshold, it is determined that the flood attack occurs; otherwise, it is determined as a normal situation.
The acquisition unit 601 includes a first acquisition unit 6011 and a second acquisition unit 6012.
The first acquisition unit 6011 is adapted to acquire the total number of source IP packets with the keyword.
The second acquisition unit 6012 is adapted to acquire the number of feature parameters of the source packet. The number of feature parameters is the repetition number of the text hash string from the source IP packet, or the failure number of the response packets to the source packet. When the number of feature parameters is the repetition number of the text hash string from the source packet, the preset threshold is a preset similarity ratio threshold, and when the number of feature parameters is the failure number of the response packet of the source packet, the preset threshold is a preset failure threshold.
The detection device further includes a storage unit 603.
The storage unit 603 is adapted to store the data table consisting of the total number of source IP packets with the keyword and the number of feature parameters of the source packet. The total number of source IP packets with the keyword in the data table is obtained by counting the source packets carrying the keyword received within a preset time. When the number of feature parameters is the repetition number of the text hash string from the source packet, it is obtained by comparing the text hash string acquired from the hash transformation of the received source packet with the stored text hash strings. When the number of feature parameters is the failure number of the response packets of the source packet, it is obtained by counting the failure packets among the responses to the received source packets.
The abovementioned source packet refers to the source packet obtained after the keyword filtering. The data table is grouped using a destination address of the source packet as an index, and the total number of source IP packets with the keyword and the number of feature parameters of the source packet are stored in each group using the source address of the source packet as an index.
Based on the above, by making full use of all features of the flood attack, in the embodiments of the present invention, the total number of source IP packets with the keyword and the number of feature parameters corresponding to the source packet are acquired, and the ratio of the number of feature parameters to the total number of source IP packets with the keyword is compared with the preset threshold. If the ratio is greater than or equal to the preset threshold, it is determined that the flood attack occurs. In this way, the detection method is more accurate and simple.
Furthermore, in the technical solution of the embodiments of the present invention, under the circumstance that the packet carries the keyword normally, the number of feature parameters is the repetition number of the text hash string from the source packet, and under the circumstance that the packet carries the keyword randomly, the number of feature parameters is the failure number of the response packet of the source packet. In this way, the flood attack can be effectively detected under different circumstances.
Though the flood attack detection method and the detection device have been disclosed above by some exemplary embodiments of the present invention, anybody skilled in the art can make modifications and variations without departing from the spirit and scope of the embodiments of the present invention. Therefore, the specification should not be understood as a limitation of the present invention.
Patent | Priority | Assignee | Title
6901517 | Jul 16 1999 | Ericsson AB | Hardware based security groups, firewall load sharing, and firewall redundancy
7818795 | Apr 07 2005 | MARVELL ISRAEL M I S L LTD | Per-port protection against denial-of-service and distributed denial-of-service attacks
20040054925 | | |
20050010817 | | |
20060010389 | | |
20060107318 | | |
20080086434 | | |
20080271146 | | |
20080307524 | | |
CN101018156 | | |
CN101267313 | | |
CN1578231 | | |
CN1719783 | | |
CN1750536 | | |
Executed on | Assignor | Assignee | Conveyance | Frame | Reel | Doc |
Sep 26 2012 | CHENGDU HUAWEI SYMANTEC TECHNOLOGIES CO , LIMITED | HUAWEI DIGITAL TECHNOLOGIES CHENG DU CO LIMITED | CHANGE OF NAME SEE DOCUMENT FOR DETAILS | 034537 | /0210 | |
Nov 09 2012 | JIANG, WU | HUAWEI TECHNOLOGIES CO , LTD | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 029382 | /0887 | |
Nov 20 2012 | Chengdu Huawei Symantec Technologies Co., Ltd. | (assignment on the face of the patent) | / |
Date | Maintenance Fee Events |
Sep 13 2018 | M1551: Payment of Maintenance Fee, 4th Year, Large Entity. |
Sep 07 2022 | M1552: Payment of Maintenance Fee, 8th Year, Large Entity. |
Date | Maintenance Schedule |
Mar 24 2018 | 4 years fee payment window open |
Sep 24 2018 | 6 months grace period start (w surcharge) |
Mar 24 2019 | patent expiry (for year 4) |
Mar 24 2021 | 2 years to revive unintentionally abandoned end. (for year 4) |
Mar 24 2022 | 8 years fee payment window open |
Sep 24 2022 | 6 months grace period start (w surcharge) |
Mar 24 2023 | patent expiry (for year 8) |
Mar 24 2025 | 2 years to revive unintentionally abandoned end. (for year 8) |
Mar 24 2026 | 12 years fee payment window open |
Sep 24 2026 | 6 months grace period start (w surcharge) |
Mar 24 2027 | patent expiry (for year 12) |
Mar 24 2029 | 2 years to revive unintentionally abandoned end. (for year 12) |